Answers for "WinCollect Agent Unable to Communicate with QRadar Appliance"
https://developer.ibm.com/answers/questions/411202/wincollect-agent-unable-to-communicate-with-qradar.html
The latest answers for the question "WinCollect Agent Unable to Communicate with QRadar Appliance"

Answer by JonathanPechtaIBM
https://developer.ibm.com/answers/answers/411841/view.html
@aalsu
There is one more thing you can try that could resolve the issue. If you are uncomfortable with anything listed here, don't sweat it as the support rep can walk through this procedure with you. This is likely what the support rep will try when you talk with them after reviewing your logs.
**NOTE**: If you are not being issued a new PEM file as mentioned in my previous comment, then this could be a communication issue for TCP/8413. I don't think that is the case and this response is assuming that you are getting a new .PEM file when you've removed the existing one and refreshed the WinCollect /config directory, which confirms the agent can communicate to the QRadar appliance. The support rep will likely want to verify this with you, so I'm giving you a heads up in advance. :)
For security, I removed your QRadar case number from the forum post and noted it at my desk in case the support rep asks me a question.
**What you can do**
1. Log in to QRadar as an administrator.
2. Click the WinCollect icon.
3. Locate the agent that is giving you a 0x80000007 error message from the agent list.
4. Double-click that agent and rename it to currenthostname_old. This changes the agent name in the database to a different name as it now contains _old when you save the changes.
5. You can then Delete that agent renamed to _old in the user interface. The log sources will still be created, this would only remove the agent.
6. Remote Desktop to the remote WinCollect agent that is giving you the error message.
7. Stop the WinCollect service.
8. Start the WinCollect service.
9. The agent should rediscover and be added to the WinCollect agent list. Log sources (since they were associated to the original agent name) will still function as normal when the WinCollect agent rediscovers and receives an AgentConfig.xml file from the QRadar appliance.
This would be a quick test and if you are still having issues, the support rep can track down the issue further. After talking with development, this is what was suggested that you could try yourself if you wanted.
**Alternate method**
If you don't want to go through this you can always force the system to think this is a brand new agent. This could be faster or slower, which is why I'm listing it as an alternate procedure as this method can be slower depending on how many log sources are associated to the agent. If you force the agent to discover as new, then log sources would need to be edited to look for the new WinCollect agent name in the drop-down box for each log source.
If you navigate to *C:\Program Files\IBM\WinCollect\config\install_config.txt*, in this file there is a parameter called applicationidentifier=, which has the WinCollect agent name from the initial installation. This is the name used in the QRadar user interface when the agent is added to the list of all agents when you open the WinCollect icon from the Admin tab. If you were to change the value applicationidentifier= to add a 1 or an _ at the end, the QRadar appliance would think this is a brand new WinCollect agent and create a new agent, generate new keys and configurations on the QRadar appliance side. However, you would need to edit log sources assigned to hostnameA to be hostnameA_ or hostnameA1 (or whatever you decided is the new agent name). If you are remotely polling 30+ log sources, this is not likely what you would want to do, as then you'd have to edit those log sources for the new agent name.
This is an example of what some of the information looks like in the install_config.txt file:
```
ApplicationIdentifier=CA0DJP
ConfigurationServer=10.10.10.14
ConfigurationServerPort=8413
ConfigurationServerMinSSLProtocol=TLSv1
ConfigurationServerMaxSSLProtocol=TLSv1.2
StatusServer=10.10.10.14
ApplicationToken=lY7jC7Brm8jYqa/zhj...edited for security
BuildNumber=20
```
In this example, if you were to stop the WinCollect service and edit the file to be ApplicationIdentifier=CA0DJP_ then a new agent would discover in your agent list with that name and log sources that exist could be assigned to it. This would force regeneration of keys and could solve your issue.
As I mentioned, if you want to wait and schedule a call with QRadar Support, they can complete these steps for you and verify everything is working as intended.
~ Jonathan
Sorry for the long post, just trying to be thorough.
Wed, 08 Nov 2017 22:50:20 GMT JonathanPechtaIBM

Answer by aalsu
https://developer.ibm.com/answers/answers/411505/view.html
Hey @JonathanPechtaIBM, thanks for the reply; I've done as you said, but it hasn't resolved our connectivity problems. Regarding your questions:
What version of QRadar is installed on the Console (Help > About)?
We're running QRadar v7.2.8
Have you recently restored a configuration backup on the Console?
Not sure what you mean by this, can you elaborate please.
Is this impacting all WinCollect agents or just a single host?
Just one host.
I've uploaded a .doc regarding everything we've tried to resolve the issue. [Seen here.][1]
[1]: /answers/storage/temp/18410-wincollect-qradar-summary.docx
Tue, 07 Nov 2017 16:42:02 GMT aalsu

Answer by JonathanPechtaIBM
https://developer.ibm.com/answers/answers/411234/view.html
**Questions**
1. What version of QRadar is installed on the Console (Help > About)?
2. Have you recently restored a configuration backup on the Console?
3. Is this impacting all WinCollect agents or just a single host?
I would try this procedure to recreate your authorized service token. This will ensure that the token in the user interface matches what WinCollect is checking against in the .PEM file. I will note that we do not recommend being on such an old version of WinCollect. I would suggest getting to a newer version of WinCollect installed. However, you will need to resolve the communication issue. Knowing the QRadar version would make this easier to understand, but start with what I put below.
**Procedure**
1. Log in to the QRadar as an administrator.
2. Click the **Admin** tab.
3. Click the **Authorized Services** icon.
4. Locate the authorized service token you created for WinCollect and record this value. You will need to use it in the command-line on the Windows host.
5. Log in to the Windows host with the WinCollect agent.
6. Stop the WinCollect service.
7. Open a command prompt and type:
```
C:\Program Files\IBM\WinCollect\bin\InstallHelper.exe -T <application token from QRadar>
```
Example:
```
C:\Program Files\IBM\WinCollect\bin\InstallHelper.exe -T abcde-fghe-jklm-opqrs-tuvwz
```
The command updates your authorized service token to be an encrypted string in the install_config.txt file, which is used to match against the .PEM file provided by the QRadar appliance.
**Before**: abcde-fghe-jklm-opqrs-tuvwz
**After**: ttMT3Wju4gqsqGfTQpr9s84uq7Gsa0R0FH8lZUzLuf1hn903UnxGENk
**What's the purpose of this test?**
This test can typically locate authorized service token issues. After the command is run, you can start the WinCollect service. Then verify if communication is working as expected.
Mon, 06 Nov 2017 18:32:11 GMT JonathanPechtaIBM
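The two agent-side procedures in this thread (re-registering the agent by changing ApplicationIdentifier in install_config.txt, and re-encrypting the authorized service token with InstallHelper.exe -T) are typed into an elevated prompt on the Windows host, so here they are as one PowerShell script. This is an added example, not code from the thread or from IBM; it assumes the Windows service is named WinCollect, that the agent is installed under C:\Program Files\IBM\WinCollect, that the agent writes its .PEM file into the config directory once it has talked to the appliance, and it adds the check the first answer's NOTE asks for: before renaming anything it confirms TCP/8413 (or whatever ConfigurationServerPort says) is reachable, because if that fails the problem is connectivity and a re-registration will not help.

```powershell
# Added example (not from the original thread): re-register a WinCollect agent
# as a "new" agent by appending a suffix to ApplicationIdentifier, optionally
# re-encrypting the authorized service token first, with a TCP/8413 check and
# a backup of install_config.txt before any change.
# Assumptions (not stated in the thread): service name "WinCollect", default
# install path, and a fresh .PEM in the config directory after registration.
#Requires -RunAsAdministrator
param(
    [string]$ConfigPath  = 'C:\Program Files\IBM\WinCollect\config\install_config.txt',
    [string]$Suffix      = '_',
    [string]$ServiceName = 'WinCollect',
    [string]$Token,            # optional: plain authorized service token from Admin > Authorized Services
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

# install_config.txt is plain key=value text; hashtable lookups are case-insensitive,
# so 'applicationidentifier' and 'ApplicationIdentifier' both resolve.
$lines = Get-Content -LiteralPath $ConfigPath
$cfg = @{}
foreach ($line in $lines) {
    if ($line -match '^\s*([^=#\s]+)\s*=\s*(.*)$') { $cfg[$Matches[1]] = $Matches[2] }
}
if (-not $cfg.ContainsKey('ApplicationIdentifier')) { throw "No ApplicationIdentifier in $ConfigPath" }
$oldId = $cfg['ApplicationIdentifier']
$newId = "$oldId$Suffix"

# Connectivity first: the appliance must be reachable on the configuration port,
# otherwise no new PEM will ever be issued no matter what the agent is called.
$server = $cfg['ConfigurationServer']
$port = 8413
if ($cfg['ConfigurationServerPort'] -match '^\d+$') { $port = [int]$cfg['ConfigurationServerPort'] }
$tnc = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    throw "TCP/$port to $server is not reachable from this host; fix the network/firewall path before re-registering."
}
Write-Host "TCP/$port to $server reachable. Agent '$oldId' will be re-registered as '$newId'."
if ($WhatIf) { return }

Stop-Service -Name $ServiceName

# Timestamped backup: the file also carries the encrypted ApplicationToken, so treat it as a secret.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.$stamp.bak"

# Optional: re-encrypt the authorized service token exactly as the last answer describes
# (service stopped, InstallHelper.exe -T <token>), then re-read the file it rewrote.
if ($Token) {
    $helper = Join-Path (Split-Path -Parent (Split-Path -Parent $ConfigPath)) 'bin\InstallHelper.exe'
    & $helper -T $Token
    if ($LASTEXITCODE -ne 0) { throw "InstallHelper.exe exited with $LASTEXITCODE" }
    $lines = Get-Content -LiteralPath $ConfigPath
}

# Rewrite only the ApplicationIdentifier line; every other line is left as it was.
$updated = $lines | ForEach-Object {
    if ($_ -match '^\s*ApplicationIdentifier\s*=') { "ApplicationIdentifier=$newId" } else { $_ }
}
Set-Content -LiteralPath $ConfigPath -Value $updated -Encoding ASCII

Start-Service -Name $ServiceName

# Wait for a freshly written .PEM in the config directory as the sign that the new
# agent registered and received its certificate from the appliance.
$configDir = Split-Path -Parent $ConfigPath
$started  = Get-Date
$deadline = $started.AddMinutes(2)
$pem = $null
do {
    $pem = Get-ChildItem -LiteralPath $configDir -Filter '*.pem' -ErrorAction SilentlyContinue |
           Where-Object { $_.LastWriteTime -gt $started }
    if ($pem) { break }
    Start-Sleep -Seconds 10
} while ((Get-Date) -lt $deadline)

if ($pem) {
    Write-Host "New PEM written: $($pem.Name -join ', '). Reassign log sources from '$oldId' to '$newId' in the QRadar UI."
} else {
    Write-Warning "No fresh PEM within 2 minutes; keep $ConfigPath.$stamp.bak and collect the agent logs for QRadar Support."
}
```

Run it once with -WhatIf to see the reachability result and the old/new agent name without stopping the service. The backup file contains the encrypted token, so delete it once the agent is confirmed working; and, as the first answer warns, every log source still pointing at the old agent name has to be edited to the new one afterwards.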